https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191701#M38169 <P>What do you think about create a new field for each source ip called Query_only? The search would filter out any Query_only=False, and then set it to False if the record contains more than a single "Q" and then filters it out.</P> <PRE><CODE>| while dns_type_ip!=False | if(dns_type!="Q", eval dns_type_ip="False" by src_ip) | while dns_type_ip!=False </CODE></PRE> <P>..or maybe streamstats.. I am not completely clear on how it is used and have only seen it used to evaluate the current record in light of evaluations on a previous record.</P> Mon, 28 Sep 2020 16:10:05 GMT landen99 2020-09-28T16:10:05Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191697#M38165 <P>In general, I am trying to filter records based on whether any records of a group match a given criteria.</P> <P>Specifically, I want to discard all DNS records from any IP where a DNS record is seen with an R in it (to the left of the Q):<BR /> But records from any IP where that look like the following to be discarded:<BR /> 3/17/2014 2:00:18 PM 06E4 PACKET 000000000F458210 UDP Rcv xx.yyy.zz.48 1234 R Q [0001 D NOERROR] A .server005.mycorp.com.</P> <P>I used the field extractor tool to put the R and Q values into the field, dns_type.</P> <P>How do I do a search which filters based on whether all records of a group do not contain specified field values? Will we have to use streamstats or is there an easier way?</P> Mon, 17 Mar 2014 20:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191697#M38165 landen99 2014-03-17T20:19:26Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191698#M38166 <P>What do you mean by "a group"?</P> Tue, 18 Mar 2014 16:13:41 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191698#M38166 lguinn2 2014-03-18T16:13:41Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191699#M38167 <P>In the dns example, the group is the source ip. So if a source ip generates dns reply traffic then all dns traffic from that ip should be discarded. Records of ip addresses without any dns reply traffic would be kept.</P> <P>It would probably be more clear to use the word "field" instead of group, but I am grouping these records by source ip in my mind so I am thinking in terms of these source ip groups.</P> Tue, 18 Mar 2014 16:20:48 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191699#M38167 landen99 2014-03-18T16:20:48Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191700#M38168 <P>Without more information about how to define "a group", this is sort of a shot in the dark but -<BR /><BR /> Also, I assume that <CODE>dns_type</CODE> could have "R Q" as a value, and that there is a field named <CODE>ip</CODE> containing the ip address.</P> <P>To simply eliminate events with of the dns_type, you could do this</P> <PRE><CODE>yoursearchhere dns_type!="R Q" </CODE></PRE> <P>But let's assume that you want to eliminate events from any ip that was associated with an event with a <CODE>dns_type</CODE> of "R Q":</P> <PRE><CODE>yoursearchhere NOT [ search dns_type="R Q" | dedup ip | fields ip ] </CODE></PRE> <P>This should work as long as the number of ip's returned from the subsearch is relatively small. It will not be a particularly fast search, though, as both the subsearch and the use of <CODE>NOT</CODE> will slow things down.</P> Tue, 18 Mar 2014 16:25:25 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191700#M38168 lguinn2 2014-03-18T16:25:25Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191701#M38169 <P>What do you think about create a new field for each source ip called Query_only? The search would filter out any Query_only=False, and then set it to False if the record contains more than a single "Q" and then filters it out.</P> <PRE><CODE>| while dns_type_ip!=False | if(dns_type!="Q", eval dns_type_ip="False" by src_ip) | while dns_type_ip!=False </CODE></PRE> <P>..or maybe streamstats.. I am not completely clear on how it is used and have only seen it used to evaluate the current record in light of evaluations on a previous record.</P> Mon, 28 Sep 2020 16:10:05 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191701#M38169 landen99 2020-09-28T16:10:05Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191702#M38170 <P>I would avoid <CODE>streamstats</CODE> - I don't think it will be particularly helpful here, and it will probably <EM>not</EM> be faster than a subsearch.</P> Wed, 19 Mar 2014 00:04:09 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191702#M38170 lguinn2 2014-03-19T00:04:09Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191703#M38171 <P>What happens if you do this?</P> <P><CODE>yoursearchhere NOT [ search dns_type="R Q" | dedup src_ip | fields src_ip ]</CODE></P> Wed, 19 Mar 2014 00:06:30 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191703#M38171 lguinn2 2014-03-19T00:06:30Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191704#M38172 <P>I have the field extracted so that dns_type is either R or Q even when there is "R Q" in the text. The search you suggested works:</P> <PRE><CODE>sourcetype=dns | mysearch | search NOT [ search dns_type="R" | dedup src_ip | fields src_ip ] </CODE></PRE> <P>I never knew you could bracket a search string under a not. Thank you. Why do you have "fields src_ip"?</P> Wed, 19 Mar 2014 13:20:26 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191704#M38172 landen99 2014-03-19T13:20:26Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191705#M38173 <P>The subsearch (which starts with <CODE>[</CODE> and ends with <CODE>]</CODE>) returns a set of results. The <EM>only</EM> thing I want from those results is a list of the <CODE>src_ip</CODE> values. The <CODE>fields src_ip</CODE> causes the subsearch to return a list of the <CODE>src_ip</CODE> values. </P> <P>You can actually see the sub-search results if you check out the search job inspector after the search is finished.</P> <P>Also, you can probably make your search go even faster if you don't put the pipes in it - they just add extra steps:</P> <P><CODE>sourcetype=dns mysearch NOT [search .... ]</CODE></P> <P>should work fine</P> Wed, 19 Mar 2014 22:59:39 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-based-on-whether-any-records-of-a-group-match-a/m-p/191705#M38173 lguinn2 2014-03-19T22:59:39Z